Classification of sip messages by a syntax filter and SVMs

The Session Initiation Protocol (SIP) is at the root of many sessions-based applications such as VoIP and media streaming that are used by a growing number of users and organizations. The increase of the availability and use of such applications calls for careful attention to the possibility of transferring malformed, incorrect, or malicious SIP messages as they can cause problems ranging from relatively innocuous disturbances to full blown attacks and frauds. To this end, SIP messages are analyzed to be classified as "good" or "bad" depending on whether this structure and content are deemed acceptable or not. This paper presents a classifier of SIP messages based on a two stage filter. The first stage uses a straightforward lexical analyzer to detect and remove all messages that are lexically incorrect with reference to the grammar that is defined by the protocol standard. The second stage uses a machine learning approach based on a Support Vector Machine (SVM) to analyze the structure of the remaining syntactically correct messages in order to detect semantic anomalies which are deemed a strong indication of a possibly malicious message. The SVM "learns" the structure of the "good" and "bad" SIP messages through an initial training phase and the SVM thus configured correctly classifies messages produced by a synthetic generator and also "real" SIP messages that have been collected from the communication network at our institution. The preliminary results of such classification look very promising and are presented in the final section of this paper. A short version of this Technical Report appears in the proceedings of the IEEE Global Communications Conference (GLOBE-COM 2012), California, USA, December 3-7, 2012.